intercept a dns port for one computer

DD-WRT Forum Index -> Atheros WiSOC based Hardware
cdsonic
DD-WRT Novice


Joined: 30 Jun 2014
Posts: 22

PostPosted: Sat Jan 20, 2018 2:43    Post subject: intercept a dns port for one computer
Good afternoon

I have set up OpenDNS on my router using the following instructions https://www.dd-wrt.com/wiki/index.php/OpenDNS and I want to allow one computer to dictate its own DNS servers.

My son's computers are hooked up to OpenDNS and I am using the following rules to stop him changing his DNS settings
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

I have looked at these rules
iptables -t nat -A PREROUTING -i br0 -s 192.168.1.128/25 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -s 192.168.1.128/25 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

and I am still unsure how to set up a rule so that my computer can use its own dns settings.
jxm
DD-WRT Guru


Joined: 23 Jul 2017
Posts: 723
Location: Brisbane, Australia

PostPosted: Sat Jan 20, 2018 5:48    Post subject: Re: intercept a dns port for one computer
cdsonic wrote:
Good afternoon

I have set up OpenDNS on my router using the following instructions https://www.dd-wrt.com/wiki/index.php/OpenDNS and I want to allow one computer to dictate its own DNS servers.

My son's computers are hooked up to OpenDNS and I am using the following rules to stop him changing his DNS settings
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

I have looked at these rules
iptables -t nat -A PREROUTING -i br0 -s 192.168.1.128/25 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -s 192.168.1.128/25 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

and I am still unsure how to set up a rule so that my computer can use its own dns settings.


Hi,

In this command and the similar udp command
iptables -t nat -A PREROUTING -i br0 -s 192.168.1.128/25 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
This bit
-s 192.168.1.128/25
means that the rule applies to packets coming from all devices with an IP address anywhere between 192.168.1.128 and 192.168.1.254
(Google "CIDR notation" for more information on how to specify a range of addresses)

If your DHCP server assigns all IP addresses in this range, all devices with a DHCP assigned IP address will be restricted.

To make an exception for your own device, go to the DHCP server settings on your router and add a reserved IP address for your device that is between 192.168.1.1 and 192.168.1.127 (that is, not between 192.168.1.128 and 192.168.1.254). Save the DHCP settings and renew the DHCP lease on your device. (Cycle power if you do not know how.)

Cheers.
jasonkruys
DD-WRT User


Joined: 13 Dec 2013
Posts: 90

PostPosted: Sat Jan 20, 2018 12:12    Post subject:
Could I use the same command to make a specific device on a static IP use a specific DNS? I have an IPTV device that I want to point specifically at my ISP's DNS, whereas everything else I am forcing to use OpenVPN.
cdsonic
DD-WRT Novice


Joined: 30 Jun 2014
Posts: 22

PostPosted: Sun Jan 21, 2018 12:52    Post subject:
Thanks jxm for your reply

I have a couple of questions around your answer
If my son was to set a static IP less than 192.168.1.128 and put in, say, Google's DNS, does that mean he would in theory be able to bypass the OpenDNS settings on the router, if the second set of rules are in place?
If so, can I do the following:
Give the one computer an IP of 192.168.1.2 and change the rule to 192.168.1.3/25?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2981
Location: UK, London, just across the river..

PostPosted: Mon Jan 22, 2018 8:07    Post subject:
To force use of the router's DNS settings only, go to Basic Settings > Network Address Server Settings (DHCP) > turn on Forced DNS Redirection, save, apply, restart...

In that case your son will not be able to use any other DNS,
even if he tries to bypass it at the PC level.

_________________
Atheros
TP-Link WR740Nv1 ------DD-WRT 33772 BS WAP/Switch (wired)
TP-Link WR1043NDv2 ----DD-WRT 41459 BS (AP,PPPoE,NAT,AD Blocking,AP Isolation,Firewall,Local DNS,Forced DNS,DoT)
TP-Link WR1043NDv2 ----DD-WRT 41517 BS (AP,NAT,AD Blocking,Firewall,Wi-Fi OFF,Local DNS,Forced DNS,DoT)
TP-Link WR1043NDv2 ----Gargoyle OS 1.11.0 (AP,NAT,QoS,Quotas)
Qualcomm/IPQ8065
2x Netgear R7800 -------DD-WRT 40270M 4.9 Kong (AP,NAT,AD-Blocking,AP&Net Isolation,VLAN's,Firewall,Local DNS,DNSCrypt-proxy v2 x2)
Broadcom
Netgear R7000 -------DD-WRT 40270M Kong (AP,NAT,VLAN,AD-Blocking,Firewall,Local DNS,Forced DNS,DoT)
------------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 via Entware by mac913
jxm
DD-WRT Guru


Joined: 23 Jul 2017
Posts: 723
Location: Brisbane, Australia

PostPosted: Mon Jan 22, 2018 9:02    Post subject:
cdsonic wrote:
Thanks jxm for your reply

I have a couple of questions around your answer
If my son was to set a static IP less than 192.168.1.128 and put in, say, Google's DNS, does that mean he would in theory be able to bypass the OpenDNS settings on the router, if the second set of rules are in place?
If so, can I do the following:
Give the one computer an IP of 192.168.1.2 and change the rule to 192.168.1.3/25?


The /25 in the CIDR addressing mode means that the subnet mask is the first 25 bits of the IP address.

So /25 means the subnet is split into two blocks of 128 addresses, starting at 0 and 127. The first block is 192.168.1.0/25 and the second is 192.168.1.128/25

Note that the first 25 bits of the address 192.168.1.3 is equivalent to 192.168.1.0, so 192.168.1.3/25 refers to 128 addresses starting at 192.168.1.0

If you want to refer to fewer addresses, increase the final number. To refer to just one address you can use 192.168.1.3/32. The suffix /32 is equivalent to a subnet mask of 255.255.255.255 and it refers to exactly one IP address

If you use the suffix /31 this specifies a block of two addresses, and the first address in each block will be a multiple of two. There are 128 blocks of 2, obviously. The suffix /30 specifies a block of four addresses, and the first of them will be a multiple of four, so 64 blocks. If you continue subtracting 1 and multiplying by two you will get to /24 being a block of 256 addresses. Familiar?

It is not hard, really, just confusing for the uninitiated. But with a little planning you can greatly simplify your firewall and routing rules (and speed up the processing of them)

Hope this helps.

Cheers.
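The CIDR arithmetic described in the reply above, as an added example that is not part of the thread: a few POSIX shell functions that compute the network address, the first and last address, and whether a host falls inside a given prefix. Running it shows the two points that matter for the rules in this thread: `192.168.1.3/25` is just another spelling of `192.168.1.0/25`, and a host that gives itself 192.168.1.2 is not matched by `-s 192.168.1.128/25`, so that rule alone does not stop a self-assigned static IP. Note that a /25 block runs from .128 through .255 inclusive, with the first and last addresses being the network and broadcast addresses. The addresses used are the ones from the thread; nothing here talks to a router.

```shell
#!/bin/sh
# Added example (not from the thread): CIDR arithmetic behind an iptables
# "-s a.b.c.d/N" match, as plain POSIX shell so it runs anywhere.

ip2int() {            # dotted quad -> 32-bit integer
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {            # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

prefix_mask() {       # /N -> netmask as an integer; /25 -> 255.255.255.128
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

cidr_network() {      # 192.168.1.3/25 -> 192.168.1.0/25 (host bits cleared)
    plen=${1#*/}
    net=$(( $(ip2int "${1%/*}") & $(prefix_mask "$plen") ))
    echo "$(int2ip "$net")/$plen"
}

cidr_range() {        # 192.168.1.128/25 -> 192.168.1.128-192.168.1.255
    plen=${1#*/}
    mask=$(prefix_mask "$plen")
    first=$(( $(ip2int "${1%/*}") & mask ))
    last=$(( first | (4294967295 ^ mask) ))
    echo "$(int2ip "$first")-$(int2ip "$last")"
}

cidr_contains() {     # cidr_contains 192.168.1.128/25 192.168.1.2 -> false
    mask=$(prefix_mask "${1#*/}")
    [ $(( $(ip2int "${1%/*}") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

blocks_in_24() {      # how many /N blocks fit in one /24: /31 -> 128, /25 -> 2
    echo $(( 1 << ($1 - 24) ))
}

# Walk the prefixes discussed in the thread and show what each really covers.
for c in 192.168.1.128/25 192.168.1.3/25 192.168.1.3/32 192.168.1.3/31 192.168.1.4/30; do
    printf '%-18s network %-18s covers %s\n' "$c" "$(cidr_network "$c")" "$(cidr_range "$c")"
done

# The case from the question: does the /25 rule catch a host at .2?
if cidr_contains 192.168.1.128/25 192.168.1.2; then
    echo "192.168.1.2 is matched by 192.168.1.128/25"
else
    echo "192.168.1.2 is NOT matched by 192.168.1.128/25: a static IP below .128 bypasses that rule"
fi
```

`cidr_contains` returns an exit status, so it can be used directly in `if` or chained with `&&` when checking a planned rule against a DHCP reservation.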
cdsonic
DD-WRT Novice


Joined: 30 Jun 2014
Posts: 22

PostPosted: Thu Jan 25, 2018 10:00    Post subject:
Thanks jxm

Alozaros

I still need one device to have a different set of DNS addresses.

I am just trying to work out how to force every device connected to use OpenDNS DNS servers and allow one device to use a different DNS that I set on it
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2981
Location: UK, London, just across the river..

PostPosted: Thu Jan 25, 2018 14:10    Post subject:
https://www.dd-wrt.com/wiki/index.php/Parental_control
kind of....

Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5196
Location: Akershus, Norway

PostPosted: Fri Jan 26, 2018 12:53    Post subject:
Use "-s !<ip address>" i.e -s !192.168.1.150 in the iptables rule, where ! mean not.
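The rule set that the negation hint above leads to, written out as a complete DD-WRT firewall script. This is an added example, not code from the thread or from the DD-WRT project. It assumes the LAN bridge is br0 (as in the original post), that the exempt machine has a DHCP reservation, and that dnsmasq on the router already forwards to OpenDNS per the wiki; 192.168.1.2 and 00:11:22:33:44:55 are placeholders for that machine's reserved IP and MAC. Two things differ from a bare `! -s` rule: the exemption is an explicit RETURN placed before the DNAT, and it requires both the reserved IP and the machine's MAC (`-m mac --mac-source`, which iptables on DD-WRT supports in PREROUTING), so that the concern raised earlier in the thread, another host simply taking the exempt IP, is not enough on its own. Current iptables spells negation with the `!` before the option (`! -s 192.168.1.150`); older versions also accepted `-s ! 192.168.1.150` and print a warning for it. A spoofed MAC, DNS over HTTPS on port 443, or a VPN tunnel still goes around this, as later replies in the thread point out.

```shell
#!/bin/sh
# DD-WRT firewall script (Administration > Commands > "Save Firewall").
# Added example, not from the thread or the DD-WRT project.
# Assumptions (placeholders): LAN bridge is br0; the exempt machine has a
# DHCP reservation for EXEMPT_IP and the hardware address EXEMPT_MAC;
# dnsmasq on the router already forwards to OpenDNS as in the wiki.
IPT="${IPT:-iptables}"
EXEMPT_IP="192.168.1.2"
EXEMPT_MAC="00:11:22:33:44:55"

# dns_redirect_rules LAN_IP EXEMPT_IP EXEMPT_MAC
# Order matters: the RETURN rules are evaluated first, so a packet from the
# exempt host leaves nat/PREROUTING untouched and its own resolver is used.
# Every other br0 client that talks to port 53 is rewritten to the router,
# whatever resolver it has configured locally.
dns_redirect_rules() {
    lan_ip=$1; ex_ip=$2; ex_mac=$3
    for proto in udp tcp; do
        # Both conditions must hold: taking the IP alone is not enough.
        "$IPT" -t nat -A PREROUTING -i br0 -s "$ex_ip" -m mac --mac-source "$ex_mac" \
            -p "$proto" --dport 53 -j RETURN
    done
    for proto in udp tcp; do
        "$IPT" -t nat -A PREROUTING -i br0 -p "$proto" --dport 53 \
            -j DNAT --to-destination "$lan_ip"
    done
}

# Check after applying: the two RETURN rules must be listed above the DNATs,
# and their packet counters should move when the exempt host resolves a name
# while the DNAT counters move for everyone else.
dns_redirect_check() {
    "$IPT" -t nat -L PREROUTING -n -v --line-numbers
}

# Only touch the live firewall on the router itself (nvram exists there).
if command -v nvram >/dev/null 2>&1; then
    dns_redirect_rules "$(nvram get lan_ipaddr)" "$EXEMPT_IP" "$EXEMPT_MAC"
fi
```

To see the rules the script would load without applying them, run it with `IPT=echo`; the four lines printed are exactly what gets appended to nat/PREROUTING, in order.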
cdsonic
DD-WRT Novice


Joined: 30 Jun 2014
Posts: 22

PostPosted: Sat Jan 27, 2018 2:15    Post subject:
Alozaros, thanks for the info so far

I set up everything as per https://www.dd-wrt.com/wiki/index.php/Parental_control

but I have run into one small problem: I hooked up a Windows-based PC, let it get its IP via DHCP, then turned on a VPN app and it went straight past the OpenDNS settings
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5196
Location: Akershus, Norway

PostPosted: Sat Jan 27, 2018 14:57    Post subject:
The router cannot intercept dns traffic inside the vpn tunnel.
Wildlion
DD-WRT User


Joined: 24 May 2016
Posts: 492

PostPosted: Sat Jan 27, 2018 15:21    Post subject:
I personally have never tried them but on Security->VPN Passthrough, you could disable these. I am sure that one could come up with a way around them but it will limit some.
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 4833
Location: Texas

PostPosted: Sat Jan 27, 2018 16:03    Post subject:
cdsonic wrote:
My son's computers are hooked up to OpenDNS and I am using the following rules to stop him changing his DNS settings

I wouldn't get too invested in stopping him if he is the determined type ... just sayin'
If the boy is determined to go where he wants he will just use DNSCrypt on his computer or phone, or use a VPN provider,
or set up his own OpenVPN server on a buddy's router ....
Wildlion
DD-WRT User


Joined: 24 May 2016
Posts: 492

PostPosted: Sat Jan 27, 2018 22:03    Post subject:
mrjcd wrote:
cdsonic wrote:
My son's computers are hooked up to OpenDNS and I am using the following rules to stop him changing his DNS settings

I wouldn't get too invested in stopping him if he is the determined type ... just sayin'
If the boy is determined to go where he wants he will just use DNSCrypt on his computer or phone, or use a VPN provider,
or set up his own OpenVPN server on a buddy's router ....


After thinking about it and coming back to post, mrjcd beat me to it... he has physical/admin access to the computer and so many things are possible. Looking into locking down the devices is the better option.
cdsonic
DD-WRT Novice


Joined: 30 Jun 2014
Posts: 22

PostPosted: Sun Jan 28, 2018 0:11    Post subject:
Thanks all for your input.

My son likes YouTube so he will probably get around it eventually, but at least there is some protection in place in the short term.

I have one other issue but I will start a new topic for it.